
Jenkins Controllers in Azure: use workload identity management to allow managing Azure VM agents without credentials

Open dduportal opened this issue 2 years ago • 3 comments

Service(s)

cert.ci.jenkins.io, ci.jenkins.io, trusted.ci.jenkins.io

Summary

Credentials are annoying because they need to be rotated when they expire, which leads to service interruptions. Also, having credentials means having to store them encrypted and manage the safety of this persistent but sensitive data.

We had numerous issues wasting our time on this: https://github.com/jenkins-infra/helpdesk/issues/3395, https://github.com/jenkins-infra/helpdesk/issues/3459, etc.

The goal of this issue is to use Azure Workload Identity for these controllers to authenticate (instead of using a SP/App credential).

Controller with which to proceed:

  • [ ] cert.ci.jenkins.io
  • [x] ci.jenkins.io
  • [ ] trusted.jenkins.io

Note: Workload identity can be used with AKS pods. Will be a subsequent issue: we focus on the combo "Azure VM Controller -> Azure VM agents" only, which excludes the following:

  • [ ] infra.ci.jenkins.io (which uses Azure VM but runs inside a pod)
  • [ ] release.ci.jenkins.io (which does not even use any Azure VM)

Reproduction steps

No response

dduportal avatar Mar 20 '23 17:03 dduportal

> release.ci.jenkins.io (because it does not spawn any VM, but only containers)

What's that got to do with workload identity? It can use it just fine.

timja avatar Mar 20 '23 19:03 timja